Hi, yes.
In this context the discussion at IETF92 might be interesting: https://www.ietf.org/proceedings/92/minutes/minutes-92-sidr (search for "Extemporaneous Presentation") Cheers matthias On Tue, 14 Jun 2016, Hugo Slabbert wrote: > > On Mon 2016-Jun-13 17:53:45 -0500, Matthias Waehlisch > <[email protected]> wrote: > > > Hi, > > > > the creation of a ROA does not require the announcement of the prefix. > > Creation of a ROA, prefix announcement, and validation of the prefix are > > decoupled. If you are the legitimate resource holder you can create a > > ROA for this prefix (even if you don't advertise the prefix). As soon as > > the prefix is advertised, third parties can validate based on the > > created ROA. > > > > However, in case the hijacker is able to use the legitimate origin > > ASN, the validation outcome would be valid. You would need to assign the > > prefix to an ASN that cannot be hijacked or is dropped for other > > reasons. (Or do BGPsec. ;) > > Would this not be a valid use case for creating an ROA with origin AS 0? > > RFC7607[1] > > Autonomous System 0 was listed in the IANA Autonomous System Number > Registry as "Reserved - May be use [sic] to identify non-routed > networks" ([IANA.AS_Numbers][2]). > > [RFC6491] specifies that AS 0 in a Route Origin Attestation (ROA) is > used to mark a prefix and all its more specific prefixes as not to be > used in a routing context. This allows a resource holder to signal > that a prefix (and the more specifics) should not be routed by > publishing a ROA listing AS 0 as the only origin. To respond to this > signal requires that BGP implementations not accept or propagate > routes containing AS 0. > > RFC6491[3] > > AS 0 ROA: A ROA containing a value of 0 in the ASID field. > "Validation of Route Origination Using the Resource Certificate > Public Key Infrastructure (PKI) and Route Origination Authorizations > (ROAs)" [RFC6483] states "A ROA with a subject of AS 0 (AS 0 ROA) is > an attestation by the holder of a prefix that the prefix described in > the ROA, and any more specific prefix, should not be used in a > routing context. > > With the most detail in RFC6483[4]. > > Yes/no? > > > > > > > Cheers > > matthias > >
